Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
The amended claims 1 – 4, 7, 10 – 16 and 19 – 26 were considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior art, Paul et al. (US 20200014713), hereafter Paul, and Milazzo et al. (US 20200186569), hereafter Mil; the amendments have been fully considered and are persuasive. Claims 5, 6, 8, 9, 17 and 18 are cancelled.

Allowable Subject Matter
1.	Amended claims 1 – 4, 7, 10 – 16 and 19 – 26 are allowed in light of the applicant’s arguments, the approved examiner’s proposed amendments and the prior art made of record.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Lavar Oldham (attorney) for filed amended claims on 06-05-2021:
See the amendments filed on 06-08-2021.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to independent claim 1, the prior art of reference Paul teaches: [0002, 0018-20] playbooks are complex queries run against data collected from the network. Collected data includes alerts and activity/system logs from network devices and endpoint devices, network metadata, and full/partial packet captures. The data is stored in a centralized data store or in security information and event management tools... data collection, filtering, and accessing operations on streaming network data, permitting collection and access for analysis of relevant data [0042] across a cloud service (Fig. 1); [0022, 29] the user analyzes the data and decides whether further investigation is warranted... the user writes targeted scripts for data collection for data that is relevant to the security threat... an SMTP event script causes a network device to detect a bad email link. When the bad email link is detected, the network management device activates a DNS event script to cause a network device to detect suspicious/malicious DNS communications... A data lake is used for retrospective analysis of security threats, including [0039-40] brute force attacks; [0036] once the existence of malicious IP addresses is confirmed from the collected data, the user activates the next script to locate the endpoints that have been compromised by communicating with and receiving malicious files from those malicious IP addresses; [0052] the data plane generates more network events by aggregating and processing data streams across both space and time to reveal patterns of interest.

Further, a second prior art of record Mil teaches [0020-21] security log information specifies various events associated with the particular managed endpoint devices that represent events of interest to security evaluations, e.g., failed login attempts, password changes, network traffic 

None of the other prior art of record, by itself or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at or before the time it was filed. The prior art of record fails to teach: network traffic protocol monitoring data across a cloud service; analyzing the collection of network traffic protocol monitoring data to identify anomalous behavior by attacker entities associated with IP addresses, indicating a brute force attack by the attacker entities associated with the IP addresses; based on the anomalous behavior, identifying a brute force attack trajectory based on usernames or passwords associated with the attacker entities, and at least one of attack patterns or campaign attack characteristics; compiling the IP addresses associated with the attacker entities and the at least one of attack patterns or campaign attack characteristics into a reference data structure; and preventing access to the cloud service.

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of the applicant’s arguments, the approved examiner’s amendments and the prior art of record. The same amendments and reasoning are applicable to independent claim(s) 10 and 16 mutatis mutandis. Claims 5, 6, 8, 9, 17 and 18 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN /Examiner, Art Unit 2438.